Privacy Officer Group

To comply with Information Governance standards, every organisation must now have a nominated member of staff responsible for monitoring patient record retrievals and patient data. This person is known as the Privacy Officer.

A Privacy Officer group is automatically created in Control Panel. The Privacy Officer group cannot be empty and must contain at least one member of staff:

  • In England, it is automatically populated with any staff members with the following RBAC roles:

    • ROL020 Practice Manager.

    • ROL001 Senior Partner.

  • In Scotland, Wales and Northern Ireland, the Privacy Officer group is populated with staff members with the following roles, as set up in Control Panel - File Maintenance - Staff - Professional - Role:

    • Practice Manager

    • Senior Partner

To add additional Privacy Officer(s) to this group:

  1. Log on to Vision 3 as a system administrator.

  2. Select Management Tools - Control Panel and then File Maintenance.

  3. Select Staff Groups .

  4. Select Expand to expand the System folder .

  5. Right click on the $Privacyofficer group and select Add Staff Member(s):

  6. From the Staff Member - Add list, highlight your Privacy Officer(s) and select OK.

    Training Tip - To select multiple staff members, press the CTRL key and highlight each staff member.

Please note:

  • If you try to remove all members of the Privacy Officer group the warning 'This group must contain at least one user' displays.

  • The Remove All option is not available when you right click on the $Privacyofficer group.

  • You should carefully consider who the designated Privacy officer is, therefore the Add All option is unavailable when you right click on the $Privacyofficer group.

The Impact of being a Privacy Officer

Deleted Records and Patient Record Auditing (1.37)

To ensure appropriate governance of actions is maintained, your practice designated Privacy Officer(s) receives the following in Daybook or Tasks:

  • A task requiring action - A full alert:

    • When patient data is deleted.

    • When a transferred out patient record is accessed, more than 28 days after being deducted.

  • An announcement - A warning:

    • When a transferred out patient record is accessed less than 29 days after being deducted.

    • When a transferred out patient record is accessed as a result of running a report.

The Privacy Officer(s) must check announcements and tasks of this type to ensure the actions are valid and, where a task is raised, select Complete or it remains outstanding.

The information provided is:

  • Date and time of the action.

  • The staff member logged on.

  • The reason entered.

Note – To print this topic select Print in the top right corner and follow the on-screen prompts.